Using public-private key encryption and authentication brings many benefits, but has one important requirement that must be observed for it to work: the private keys must be kept secret, so that encrypted data cannot be decrypted by unauthorized entities and the owner of the private key cannot be impersonated.
- Private keys must never be transmitted in plain (unencrypted) form over a network. If you have to transmit one, at the very least encrypt it locally, transmit the encrypted copy, and decrypt it locally on the recipient's side. Use asymmetric or symmetric encryption as appropriate.
- Private keys must never be stored on a server where anyone not authorized to see the key has access to it. For example, a private key must never be uploaded to a shared hosting server, even into a private folder, since the hosting administrators can read it.
- Keep a copy of the private key on removable media (a CD, flash drive, etc.) stored in a physical location where it will be safe and secure. It is also good practice to store that copy in encrypted form.
- Depending on the circumstances, it may be good practice to keep a working copy of the private key on removable media and access it from there.
- In an environment where the private key is controlled by more than one person (individual or organization) and may be reconstituted only when all of them, or their representatives, are present, there are two possible solutions:
  - Split the private key into pieces using the Split File functionality of the Quantifier module of Act On File and give one piece to each person. Later, when the private key is required, use the Join Files functionality of the Quantifier module to recreate it. The individual pieces should be stored as securely as a fully functional private key. Note that the pieces must be joined in the same order in which they were split. Splitting by template appends a piece number to each extracted piece; when joining, the pieces can then be ordered by this number and correctly joined to recreate the private key.
  - Encrypt the private key once for each person, each with their own encryption key, using the Encrypt Files functionality of the Cryptor module of Act On File. Later, when the private key is required, use the Decrypt Files functionality of the Cryptor module to restore it to its original form. Note that each participating person must perform their own decryption, and the decryptions must be made in the reverse of the order in which the key was encrypted.
- Using suitable specialized software for password and key maintenance and storage may also be advisable and good practice.
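As an added example (not part of the Act On File documentation and not the product's own code), the following Go program models the split-and-join procedure described above: each piece carries its sequence number and the total count, so the pieces can be handed back in any order and reassembled correctly, while an incomplete set, a duplicated piece, or a plain concatenation in the wrong order is detected rather than silently producing a corrupt key. The names Piece, Split, Concatenate and Join are the example's own, and the key material is a constructed string. One caveat for anyone relying on this scheme: a piece is a literal fragment of the key file, not a secret share, so every holder sees part of the key material; this is why each piece needs the same protection as the whole key.

```go
package main

import (
	"bytes"
	"fmt"
	"sort"
)

// Piece is one fragment of a file, numbered the way a split-by-template naming
// scheme would number it (hypothetical structure, not Act On File's own format).
type Piece struct {
	Number int    // 1-based position of this fragment within the original file
	Total  int    // how many fragments the file was split into
	Data   []byte // the raw bytes of this fragment
}

// Split cuts data into n contiguous fragments of (almost) equal size.
func Split(data []byte, n int) []Piece {
	size := (len(data) + n - 1) / n
	pieces := make([]Piece, 0, n)
	for i := 0; i < n; i++ {
		lo, hi := i*size, (i+1)*size
		if lo > len(data) {
			lo = len(data)
		}
		if hi > len(data) {
			hi = len(data)
		}
		// copy the bytes so that a holder of one piece does not alias the original buffer
		pieces = append(pieces, Piece{Number: i + 1, Total: n, Data: append([]byte(nil), data[lo:hi]...)})
	}
	return pieces
}

// Concatenate joins fragments in exactly the order given, with no checks: this
// is what goes wrong when pieces are joined out of sequence.
func Concatenate(pieces []Piece) []byte {
	var out bytes.Buffer
	for _, p := range pieces {
		out.Write(p.Data)
	}
	return out.Bytes()
}

// Join orders fragments by their number and checks that the set is complete and
// free of duplicates before concatenating, so the original file is reproduced exactly.
func Join(pieces []Piece) ([]byte, error) {
	if len(pieces) == 0 {
		return nil, fmt.Errorf("no pieces")
	}
	sorted := append([]Piece(nil), pieces...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Number < sorted[j].Number })
	if len(sorted) != sorted[0].Total {
		return nil, fmt.Errorf("have %d pieces, need %d", len(sorted), sorted[0].Total)
	}
	for i, p := range sorted {
		if p.Number != i+1 {
			return nil, fmt.Errorf("piece %d is missing or duplicated", i+1)
		}
	}
	return Concatenate(sorted), nil
}

func main() {
	key := []byte("constructed sample key material, not a real private key")
	pieces := Split(key, 3)
	// hand the pieces back in a different order than they were produced
	joined, err := Join([]Piece{pieces[2], pieces[0], pieces[1]})
	fmt.Println(bytes.Equal(joined, key), err)
}
```

Join sorts on the embedded number rather than trusting the order in which the pieces arrive, which is the same idea as ordering template-named pieces by their appended number before joining them.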
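As a second added example (again not the page's or Act On File's own code, and using only Go's standard library), this program shows the two encryption procedures the page describes: encrypting a private-key file locally before it crosses a network and decrypting it locally on the recipient's side (done here as hybrid encryption, with a one-time AES-256-GCM file key wrapped under the recipient's RSA-OAEP public key), and encrypting the key file once per custodian so that it can only be restored when every custodian decrypts in the reverse order. The function names, the sample key file, the custodian keys and the recipient key pair are all constructed for the example; a custodian's 32-byte key stands in for whatever secret that person would use with the Cryptor module. Because AES-GCM authenticates the ciphertext, opening a layer with the wrong custodian's key, or in the wrong order, fails outright instead of silently producing garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewRecipient generates the recipient's own RSA key pair (constructed for the demo).
func NewRecipient() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates data; the random nonce is prepended to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand: a fresh nonce for every encryption under the same key
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails if the key is wrong or the data was altered.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("unusable key or truncated ciphertext (%v)", err)
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// WrapForTransport seals the key file under a one-time AES key and wraps that key with the recipient's RSA public key (OAEP).
func WrapForTransport(to *rsa.PublicKey, keyFile []byte) (wrappedKey, sealedFile []byte, err error) {
	fileKey := make([]byte, 32)
	rand.Read(fileKey) // one-time key, used for this transfer only
	if wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, to, fileKey, nil); err != nil {
		return nil, nil, err
	}
	sealedFile, err = seal(fileKey, keyFile)
	return wrappedKey, sealedFile, err
}

// UnwrapFromTransport is the recipient's local step after the transfer.
func UnwrapFromTransport(me *rsa.PrivateKey, wrappedKey, sealedFile []byte) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, me, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return open(fileKey, sealedFile)
}

// LayerEncrypt seals the key file under each custodian's key in turn, so every custodian must take part to recover it.
func LayerEncrypt(custodianKeys [][]byte, keyFile []byte) ([]byte, error) {
	out, err := keyFile, error(nil)
	for _, k := range custodianKeys {
		if out, err = seal(k, out); err != nil {
			return nil, err
		}
	}
	return out, nil
}

// LayerDecrypt peels the layers in the reverse order of encryption; a layer opened with the wrong key fails authentication.
func LayerDecrypt(custodianKeys [][]byte, layered []byte) ([]byte, error) {
	out, err := layered, error(nil)
	for i := len(custodianKeys) - 1; i >= 0; i-- {
		if out, err = open(custodianKeys[i], out); err != nil {
			return nil, fmt.Errorf("layer %d: %w", i, err)
		}
	}
	return out, nil
}

func main() {
	keyFile := []byte("constructed sample key material, not a real private key")
	rcpt, _ := NewRecipient()
	wk, sf, _ := WrapForTransport(&rcpt.PublicKey, keyFile)
	back, err := UnwrapFromTransport(rcpt, wk, sf)
	fmt.Println("transport:", string(back) == string(keyFile), err)
	custodians := [][]byte{[]byte("custodian-1-key-0123456789abcdef"), []byte("custodian-2-key-0123456789abcdef")}
	layered, _ := LayerEncrypt(custodians, keyFile)
	got, err := LayerDecrypt(custodians, layered)
	fmt.Println("layers:", string(got) == string(keyFile), err)
}
```

The random 96-bit GCM nonce is adequate for the handful of encryptions a key-custody procedure involves, but a single key should not be reused for bulk encryption this way. The wrapped file key and the sealed file are the only things that ever travel over the network; the recipient's RSA private key and the recovered private key stay local on each side.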